Boards Must Treat Tech as Strategic Risk
New research confirms that Caribbean boards face significant challenges in providing effective cybersecurity oversight. Limited understanding of cyber risks, inconsistent reporting, and lack of specialised expertise are the defining gaps. Good intentions are acknowledged, but meaningful action lags.
New research published in January 2025 found that corporate boards in Barbados and the Caribbean face significant challenges in providing effective cybersecurity oversight. The study, by Dr Ron Sookram of the Arthur Lok Jack Global School of Business, identified limited understanding of cyber risks, inconsistent reporting practices, and a lack of specialised expertise as the defining gaps.
This is not a Caribbean anomaly. Globally, cybersecurity is now ranked the biggest underrated risk by public company directors, according to the 2026 What Directors Think report. But the gap between awareness and action is particularly acute in our region — and the cost of that gap is rising with every digital investment organisations make.
The PwC Caribbean Corporate Governance Pulse Survey paints a telling picture. Good intentions are widely acknowledged. Meaningful action lags significantly. Boards recognise that change is needed, from diversity to climate risk management, but those intentions are not translating into governance reform at the pace the environment demands. Technology risk sits squarely in this pattern.
Why Technology Is No Longer an IT Question
For most Caribbean boards, technology has historically been a management matter. The CEO commissioned a system. The CIO or IT manager oversaw implementation. The board received a report. That governance model made sense when technology was a back-office function. It is no longer appropriate when technology is the business.
Consider what a modern Caribbean bank, insurer, or utility actually is. Its payment rails are technology. Its customer relationship exists through a mobile app. Its regulatory submissions run on software. Its risk models depend on data quality. When any of these systems fail — through cyberattack, poor implementation, or vendor failure — the impact is not operational. It is existential. Boards that treat this as someone else’s responsibility are not exercising governance. They are avoiding it.
The Central Bank of Trinidad and Tobago’s Cybersecurity Best Practices Guideline, updated in 2025, explicitly requires board-level oversight of cybersecurity. This is a regulatory signal about where accountability sits. But regulatory compliance sets a floor, not a ceiling. The boards adding real value are those that have moved beyond the minimum.
“Technology strategy divorced from business strategy is just expensive IT procurement.”
What Effective Board Oversight Actually Looks Like
Effective board oversight of technology does not require every director to become a technologist. It requires the board to ask different questions — consistently, rigorously, and with genuine curiosity about the answers.
When approving a digital transformation programme, ask: what is the fallback if this fails mid-deployment? Who owns the vendor relationship, and what are our contractual exit rights? Has our cybersecurity posture been independently assessed this year? When reviewing the IT budget, ask: are we underinvesting in security relative to our digital footprint? When a major project is delayed or over budget, ask: is this a governance failure, a vendor management failure, or a requirements failure — and which of those is the board responsible for?
These are not technical questions. They are governance questions. And they belong on the board agenda alongside capital allocation, talent strategy, and risk management — because in 2026, they are all the same conversation.
The boards making genuine progress have typically done three things. They have appointed at least one director with credible technology experience. They have created a direct reporting line from the technology function to the board, not filtered through a management summary. And they have commissioned an independent technology risk assessment that the board reviews and acts on annually.
The Accountability Question
Dr Sookram’s research recommends that Caribbean boards prioritise cybersecurity as a strategic imperative, invest in board-level training, recruit directors with specialised expertise, and establish structured reporting mechanisms. These are not radical suggestions. They are the minimum standard for a board governing a digitally dependent organisation in 2026.
The question for every Caribbean board is not whether technology risk belongs in the boardroom. It does, and regulators are increasingly making that explicit. The question is whether the board is prepared to own that responsibility — with the same rigour, the same accountability, and the same willingness to ask uncomfortable questions that it brings to financial risk, legal risk, and reputational risk.
Technology is no longer a function. It is the foundation. Boards that govern it accordingly will protect their organisations. Those that do not are assuming a risk they have not formally accepted.